A Close Look at U.S., U.K. Penalties

When it comes to doling out penalties in the wake of health information breaches, the United Kingdom favors issuing frequent fines for relatively smaller violations, while the United States takes a "less is more" approach, entering comprehensive resolution agreements for a handful of breaches that include financial settlements.

The U.K.'s high-profile actions call attention to the government's low tolerance for privacy violations. Among the latest cases were a £175,000 ($274,000 U.S.) fine for mistakenly posting online sensitive personal information about nearly 1,400 employees of a community health service trust; a £60,000 ($94,000) fine for the mismailing of medical records; and a £90,000 ($136,000) fine for patient lists being faxed repeatedly to the wrong recipient.

The largest U.K. fine so far, £325,000 ($508,000), stemmed from a 2010 incident involving the sale on the Internet of hard drives containing sensitive health information on tens of thousands of individuals.

In the U.K., penalties have also been levied against individuals involved with health data breaches, including more than £1,500 in penalties and other fees charged in January to a former health worker who pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband's family to obtain their new telephone numbers.

The U.S. Approach

By comparison, U.S. authorities have announced a total of nine resolution agreements since 2008 with a total of $8.8 million in settlement payments.

Only one case so far, against the clinic Cignet Health, has involved a civil penalty for a HIPAA privacy violation. But that case did not stem from a breach; it dealt with Cignet's refusal to provide patients with copies of their medical information, and then refusal to cooperate with federal investigators. The penalty totaled $4.3 million.

In June, OCR grabbed headlines when it announced a resolution agreement with the Alaska Department of Health and Social Services that included a $1.7 million settlement. While a stolen USB drive potentially containing data on 501 Medicaid beneficiaries sparked the case, the penalty was tied to a pattern of HIPAA non-compliance, including a lack of risk assessments and staff training, discovered during OCR's investigation of the lost device incident.

The other two U.S. resolution agreements this year were a $1.5 million settlement with BlueCross BlueShield of Tennessee related to the theft of 57 unencrypted disk drives containing personal health information for 1 million patients, and a $100,000 settlement with Phoenix Cardiac Surgery, P.C., which posted patient information on a web-based calendar.

HIPAA enables OCR to issue civil penalties when a settlement cannot be reached, she notes. But no breach cases have resulted in a civil penalty so far.

One way OCR is attempting to build interest in breach prevention is to post a list of major incidents to its website. The hope is that the potential adverse publicity from the postings will lead organizations to improve their security efforts.

Corrective Action

A major focus of the U.S.'s resolution agreements is a corrective action plan that spells out, in detail, a game plan for preventing future breaches.

The U.K. also demands that missteps be fixed, says Greg Jones, a spokesman for the Information Commissioner's Office, the U.K.'s independent agency that enforces data privacy for individuals.

"We expect organizations to have taken action to ensure that security issues identified during a data breach are resolved in order to prevent a similar breach in the future," he says. "In situations where we still believe further measures are required, we can issue the organization with an undertaking which explains the measures we require them to introduce to improve their compliance with the UK Data Protection Act."

For example, on April 30, Aneurin Bevan Health Board in the U.K. was issued a monetary penalty of £70,000 following an incident where a sensitive report - containing explicit details relating to a patient's health - was sent to the wrong person, Jones says. "On the same day, the organization also signed an 'undertaking' to improve their compliance with the Act, which explained a number of further measures that we required them to introduce in order to keep their patients' information secure," he says.

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
